USBSCAN.SYS Divide by zero

Hello,

I am working on a driver that is loading USBScan.sys. I am running into
a kernel trap. I was wondering if someone could take a look and see what
exactly is causing the trap.

USBscan.SYs: USPnp: Enter…

USBscan.SYs: USPnp: IRP_MJ_PNP

USBscan.SYs: USPnp: IRP_MN_QUERY_DEVICE_RELATIONS

USBscan.SYs: USPnp: Passed Pnp Irp down, status = c00000bb

USBscan.SYs: USPnp: WARNING!! IRP Status failed, status = c00000bb

USBscan.SYs: USPnP: Leaving… Status = 0xc00000bb

USBscan.SYs: USIncrementIoCount: Enter…

USBscan.SYs: USIncrementIoCount: Leaving… IoCount=0x2, Status=VOID

USBscan.SYs: USOpen: CreateFile name=(null), Length=0.

USBscan.SYs: UsbScanReadDeviceRegistry: Entering…

USBscan.SYs: UsbScanReadDeviceRegistry: Reg-key “TimeoutRead” doesn’t exist.

USBscan.SYs: UsbScanReadDeviceRegistry: Leaving… Status=0xc0000034

USBscan.SYs: USOpen: Default Read timeout=0x78sec.

USBscan.SYs: UsbScanReadDeviceRegistry: Entering…

USBscan.SYs: UsbScanReadDeviceRegistry: Reg-key “TimeoutWrite” doesn’t exist.

USBscan.SYs: UsbScanReadDeviceRegistry: Leaving… Status=0xc0000034

USBscan.SYs: USOpen: Default Write timeout=0x78sec.

USBscan.SYs: UsbScanReadDeviceRegistry: Entering…

USBscan.SYs: UsbScanReadDeviceRegistry: Reg-key “TimeoutEvent” doesn’t exist.

USBscan.SYs: UsbScanReadDeviceRegistry: Leaving… Status=0xc0000034

USBscan.SYs: USOpen: Default Event timeout=0x0sec.

USBscan.SYs: USDecrementIoCount: Enter…

USBscan.SYs: USDecrementIoCount: Leaving… IoCount(=Ret)=0x1

USBscan.SYs: USOpen: Leaving… Status = 0.

USBscan.SYs: USOpen: Enter…

USBscan.SYs: USIncrementIoCount: Enter…

USBscan.SYs: USIncrementIoCount: Leaving… IoCount=0x2, Status=VOID

USBscan.SYs: USOpen: CreateFile name=(null), Length=0.

USBscan.SYs: UsbScanReadDeviceRegistry: Entering…

USBscan.SYs: UsbScanReadDeviceRegistry: Reg-key “TimeoutRead” doesn’t exist.

USBscan.SYs: UsbScanReadDeviceRegistry: Leaving… Status=0xc0000034

USBscan.SYs: USOpen: Default Read timeout=0x78sec.

USBscan.SYs: UsbScanReadDeviceRegistry: Entering…

USBscan.SYs: UsbScanReadDeviceRegistry: Reg-key “TimeoutWrite” doesn’t exist.

USBscan.SYs: UsbScanReadDeviceRegistry: Leaving… Status=0xc0000034

USBscan.SYs: USOpen: Default Write timeout=0x78sec.

USBscan.SYs: UsbScanReadDeviceRegistry: Entering…

USBscan.SYs: UsbScanReadDeviceRegistry: Reg-key “TimeoutEvent” doesn’t exist.

USBscan.SYs: UsbScanReadDeviceRegistry: Leaving… Status=0xc0000034

USBscan.SYs: USOpen: Default Event timeout=0x0sec.

USBscan.SYs: USDecrementIoCount: Enter…

USBscan.SYs: USDecrementIoCount: Leaving… IoCount(=Ret)=0x1

USBscan.SYs: USOpen: Leaving… Status = 0.

USBscan.SYs: USDeviceControl: Enter…

USBscan.SYs: USIncrementIoCount: Enter…

USBscan.SYs: USIncrementIoCount: Leaving… IoCount=0x2, Status=VOID

USBscan.SYs: USDeviceControl: Control code 0x80002028 = USBscan.SYs:
USDeviceControl: IOCTL_GET_PIPE_CONFIGURATION

USBscan.SYs: USDecrementIoCount: Enter…

USBscan.SYs: USDecrementIoCount: Leaving… IoCount(=Ret)=0x1

USBscan.SYs: USDeviceControl: Leaving… Status = 0x0

USBscan.SYs: USWrite: Enter…

USBscan.SYs: USIncrementIoCount: Enter…

USBscan.SYs: USIncrementIoCount: Leaving… IoCount=0x2, Status=VOID

USBscan.SYs: USWrite: Timeout is set to 0x78 sec.

USBscan.SYs: MyDebugDump: Enter…

USBscan.SYs: MyDebugDump: Passing buffer. Size=0x10.

USBscan.SYs: +0 +1 +2 +3 +4 +5 +6 +7 +8 +9 +a +b +c +d +e +f

USBscan.SYs: ------------------------------------------------------------

USBscan.SYs: F8B17DB8 : 10 00 00 00 01 00 02 10 - 00 00 00 00 01 00 00 00

USBscan.SYs: ------------------------------------------------------------

USBscan.SYs: MyDebugDump: Leaving… Status=0x0, Ret=VOID.

USBscan.SYs: USTransfer: Enter…

USBscan.SYs: USGetPipeIndexToUse: Enter…

USBscan.SYs: USGetPipeIndexToUse: Leaving… passed=0, returning=0.

USBscan.SYs: USTransfer: Transfer [pipe 0] called. size = 16, pBuffer = 0x00000000, Mdl = 0x82683940

*** Fatal System Error: 0x0000007f

(0x00000000,0x00000000,0x00000000,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.

Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Probably caused by: usbscan.sys ( usbscan!USTransfer+5f6 )

kd> !analyze -v

UNEXPECTED_KERNEL_MODE_TRAP (7f)

This means a trap occurred in kernel mode, and it’s a trap of a kind

that the kernel isn’t allowed to have/catch (bound trap) or that

is always instant death (double fault). The first number in the

bugcheck params is the number of the trap (8 = double fault, etc)

Consult an Intel x86 family manual to learn more about what these

traps are. Here is a *portion* of those codes:

If kv shows a taskGate

use .tss on the part before the colon, then kv.

Else if kv shows a trapframe

use .trap on that value

Else

.trap on the appropriate frame will show where the trap was taken

(on x86, this will be the ebp that goes with the procedure KiTrap)

Endif

kb will then show the corrected stack.

Arguments:

Arg1: 00000000, EXCEPTION_DIVIDED_BY_ZERO

Arg2: 00000000

Arg3: 00000000

Arg4: 00000000

Debugging Details:


BUGCHECK_STR: 0x7f_0

TRAP_FRAME: f81f2b58 -- (.trap fffffffff81f2b58)

ErrCode = 00000000

eax=00000010 ebx=82686710 ecx=82040438 edx=00000000 esi=820513d8 edi=82051420

eip=eedce4ca esp=f81f2bcc ebp=f81f2c08 iopl=0 nv up ei pl zr na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246

usbscan!USTransfer+0x5f6:

eedce4ca f775e4 div dword ptr [ebp-0x1c] ss:0010:f81f2bec=00000000

Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 8053225b to 804e3592

STACK_TEXT:

f81f26a8 8053225b 00000003 f81f2a04 00000000 nt!RtlpBreakWithStatusInstruction

f81f26f4 80532d2e 00000003 eedce4ca 820513d8 nt!KiBugCheckDebugBreak+0x19

f81f2ad4 805332f3 0000007f 00000000 00000000 nt!KeBugCheck2+0x574

f81f2af4 8062150f 0000007f eedce4ca 820513d8 nt!KeBugCheck+0x14

f81f2b4c 804df3d0 f81f2b58 f81f2c08 eedce4ca nt!Ki386CheckDivideByZeroTrap+0x41

f81f2b4c eedce4ca f81f2b58 f81f2c08 eedce4ca nt!KiTrap00+0x83

f81f2c08 eedcefcc 82040438 83c40f00 00000000 usbscan!USTransfer+0x5f6

f81f2c3c 804e37f7 82040438 00000078 806ee2e8 usbscan!USWrite+0x190

f81f2c4c 80669cc5 82385fb8 806ee2d0 83c40f00 nt!IopfCallDriver+0x31

f81f2c70 8056a101 83c40fdc 00000000 83c40f00 nt!IovCallDriver+0xa0

f81f2c84 805784c0 82040438 83c40f00 82648a58 nt!IopSynchronousServiceTail+0x60

f81f2d38 804de7ec 00000210 00000000 00000000 nt!NtWriteFile+0x602

f81f2d38 7c90eb94 00000210 00000000 00000000 nt!KiFastCallEntry+0xf8

0007f6ac 7c90e9ff 7c81100e 00000210 00000000 ntdll!KiFastSystemCallRet

0007f6b0 7c81100e 00000210 00000000 00000000 ntdll!ZwWriteFile+0xc

0007f710 10014c9c 00000210 006b3db8 00000010 kernel32!WriteFile+0xf7

WARNING: Stack unwind information not available. Following frames may be wrong.

0007f778 10013e2d 00000000 00000010 00001002 HPkptp6!DllGetClassObject+0xf5a2

0007f794 10010f61 10023ae0 00000010 0007f7f8 HPkptp6!DllGetClassObject+0xe733

0007f80c 1000428f 006b35b0 000bc394 006b3624 HPkptp6!DllGetClassObject+0xb867

0007f850 10001cde 006b35b0 10000000 00000178 HPkptp6+0x428f

0007fa90 75abaab2 006b35b0 000bc394 00000002 HPkptp6+0x1cde

0007fad0 75abae91 000bc394 00000002 00000178 wiaservc!CDrvWrap::STI_Initialize+0x35

0007fb04 75ac771a 00000178 00000002 000b25e8 wiaservc!CDrvWrap::LoadInitDriver+0x179

0007fb20 75ab979b 00000001 00000fa0 000ad828 wiaservc!ACTIVE_DEVICE::LoadDriver+0xe8

0007fc78 75aba6cd 00000002 00000000 00000000 wiaservc!CWiaDevMan::EnumDevNodeDevices+0x20a

0007fca0 75aba761 00000000 75abcb04 00000000 wiaservc!CWiaDevMan::ReEnumerateDevices+0xa9

0007fca8 75abcb04 00000000 0000000b 0007fd7c wiaservc!CWiaDevMan::ProcessDeviceArrival+0x7

0007fcc0 75ac8670 00008000 00094440 000995d8 wiaservc!CMsgHandler::HandlePnPEvent+0x1f8

0007fcdc 77deb603 0000000b 00008000 00094440 wiaservc!StiServiceCtrlHandler+0x150

0007fd50 77deb568 00000074 0007fd7c 00000216 ADVAPI32!ScDispatcherLoop+0x266

0007ffb0 01002585 00096398 0007fbc8 00000000 ADVAPI32!StartServiceCtrlDispatcherW+0xe3

0007ffc0 7c816d4f 0007fbc8 00000000 7ffde000 svchost!_wmainCRTStartup+0x77

0007fff0 00000000 01002509 00000000 78746341 kernel32!BaseProcessStart+0x23

STACK_COMMAND: kb

FOLLOWUP_IP:

usbscan!USTransfer+5f6

eedce4ca f775e4 div dword ptr [ebp-0x1c]

FAULTING_SOURCE_CODE:

SYMBOL_STACK_INDEX: 6

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: usbscan!USTransfer+5f6

MODULE_NAME: usbscan

IMAGE_NAME: usbscan.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41108a05

FAILURE_BUCKET_ID: 0x7f_0_VRF_usbscan!USTransfer+5f6

BUCKET_ID: 0x7f_0_VRF_usbscan!USTransfer+5f6

Followup: MachineOwner

Best Regards,

-Randy

Randal Erman wrote:

Hello,

I am working on a driver that is loading USBScan.sys. I am
running into a kernel trap. I was wondering if someone could take a
look and see what exactly is causing the trap.

Well, it’s hard to see how it could possibly be more explicit:

*** Fatal System Error: 0x0000007f

(0x00000000,0x00000000,0x00000000,0x00000000)

Arguments:

Arg1: 00000000, EXCEPTION_DIVIDED_BY_ZERO

eax=00000010 ebx=82686710 ecx=82040438 edx=00000000 esi=820513d8 edi=82051420

eip=eedce4ca esp=f81f2bcc ebp=f81f2c08 iopl=0 nv up ei pl zr na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246

usbscan!USTransfer+0x5f6:

eedce4ca f775e4 div dword ptr [ebp-0x1c] ss:0010:f81f2bec=00000000

This last part of the trace is interesting:

USBscan.SYs: MyDebugDump: Enter…

USBscan.SYs: MyDebugDump: Passing buffer. Size=0x10.

USBscan.SYs: +0 +1 +2 +3 +4 +5 +6 +7 +8 +9 +a +b +c +d +e +f

USBscan.SYs: ------------------------------------------------------------

USBscan.SYs: F8B17DB8 : 10 00 00 00 01 00 02 10 - 00 00 00 00 01 00 00 00

USBscan.SYs: ------------------------------------------------------------

USBscan.SYs: MyDebugDump: Leaving… Status=0x0, Ret=VOID.

USBscan.SYs: USTransfer: Enter…

USBscan.SYs: USTransfer: Transfer [pipe 0] called. size = 16, pBuffer = 0x00000000, Mdl = 0x82683940

Note that pBuffer is 0. One does not like to see variables starting
with “p” that have the value 0.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Tim Roberts[SMTP:xxxxx@probo.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, March 01, 2006 6:29 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] USBSCAN.SYS Divide by zero

> USBscan.SYs: USTransfer: Transfer [pipe 0] called. size = 16, pBuffer
> = 0x00000000, Mdl = 0x82683940
>

Note that pBuffer is 0. One does not like to see variables starting
with “p” that have the value 0.

It may not be a problem in this case. If a URB is formatted using UsbBuildVendorRequest(), it uses either the pBuffer or the Mdl parameter, and the other is NULL. In the above trace Mdl has a value which seems reasonable. Note the exception is divide by zero, which implies different problems than a NULL buffer. I’d examine the usbscan code which raised the exception; it probably got an unexpected zero parameter and tried to divide something by it.

BTW, the usbscan interface is very poorly designed. There are IOCTLs with embedded pointers :-# I have a driver which emulates this interface for backward compatibility with our old software, and it became a real pain when I ported it to wCE and tried to use remote API to access it. I expect the next pain when porting the driver to 64 bits.
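The two replies above make two separate points: a NULL pBuffer is legitimate when an MDL is supplied, and the crash itself is an unchecked zero divisor inside the transfer path. The following C program, added here as an illustration and not taken from usbscan.sys or from any poster's code, shows the shape of both checks in a hypothetical transfer routine. PIPE_CONTEXT, TRANSFER_REQUEST, PacketCountUnchecked, PacketCountChecked and ValidateTransferRequest are all invented for this example; the NTSTATUS values are stand-ins for the ones in ntstatus.h, and the inputs in main() are constructed to mirror the trace (size 16, pBuffer NULL, MDL present). It compiles and runs in user mode; the unchecked variant is included only so the hardened one has something to contrast with.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in NTSTATUS values; the real definitions live in ntstatus.h. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL)
#define NT_SUCCESS(s)            ((s) >= 0)

/* Hypothetical per-pipe state. A zero MaximumPacketSize models a pipe whose
 * configuration was never filled in: the "unexpected zero parameter" that
 * turns a division into an UNEXPECTED_KERNEL_MODE_TRAP (0x7F, trap 0). */
typedef struct {
    uint32_t MaximumPacketSize;
} PIPE_CONTEXT;

/* Hypothetical transfer request. As with the URB case in the thread, the data
 * is described either by a kernel buffer or by an MDL, never both. */
typedef struct {
    const void *pBuffer;
    const void *Mdl;
    uint32_t    Size;
} TRANSFER_REQUEST;

/* Unchecked computation: the shape of code that faults when the divisor is 0.
 * With MaximumPacketSize == 0 this raises a divide trap (SIGFPE in user mode,
 * bugcheck 0x7F in a driver). Shown for contrast only. */
uint32_t PacketCountUnchecked(const PIPE_CONTEXT *pipe, uint32_t size)
{
    return (size + pipe->MaximumPacketSize - 1) / pipe->MaximumPacketSize;
}

/* Hardened computation: reject a zero divisor before dividing and return a
 * status the caller can fail the IRP with, instead of taking the system down. */
NTSTATUS PacketCountChecked(const PIPE_CONTEXT *pipe, uint32_t size,
                            uint32_t *packets)
{
    if (pipe == NULL || packets == NULL || pipe->MaximumPacketSize == 0) {
        return STATUS_INVALID_PARAMETER;
    }
    /* Guard the round-up addition against 32-bit overflow as well. */
    if (size > UINT32_MAX - pipe->MaximumPacketSize) {
        return STATUS_INVALID_PARAMETER;
    }
    *packets = (size + pipe->MaximumPacketSize - 1) / pipe->MaximumPacketSize;
    return STATUS_SUCCESS;
}

/* Validate the buffer/MDL pairing discussed in the thread: exactly one of the
 * two must be present and the size must be non-zero. A NULL pBuffer is
 * therefore fine when an MDL is supplied, which is what the trace shows. */
NTSTATUS ValidateTransferRequest(const TRANSFER_REQUEST *req)
{
    if (req == NULL || req->Size == 0) {
        return STATUS_INVALID_PARAMETER;
    }
    int hasBuffer = req->pBuffer != NULL;
    int hasMdl    = req->Mdl != NULL;
    if (hasBuffer == hasMdl) {          /* both set or both NULL */
        return STATUS_INVALID_PARAMETER;
    }
    return STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed inputs modelled on the trace: size 16, pBuffer NULL, MDL set. */
    int fakeMdl = 0;
    TRANSFER_REQUEST req = { NULL, &fakeMdl, 16 };
    PIPE_CONTEXT unconfigured = { 0 };
    PIPE_CONTEXT bulk = { 64 };
    uint32_t packets = 0;

    printf("request valid: %s\n",
           NT_SUCCESS(ValidateTransferRequest(&req)) ? "yes" : "no");
    printf("unconfigured pipe -> status 0x%08X\n",
           (unsigned)PacketCountChecked(&unconfigured, req.Size, &packets));
    if (NT_SUCCESS(PacketCountChecked(&bulk, req.Size, &packets))) {
        printf("bulk pipe -> %u packet(s)\n", packets);
    }
    return 0;
}
```

The point of the checked variant is that a divisor derived from device configuration or from a caller-supplied structure is untrusted input: when it is zero, the correct outcome is a failed I/O request, not a bugcheck that a local caller of WriteFile can trigger at will.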